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ICO consultation on the draft right of access 
guidance 


The right of access (known as subject access) is a fundamental right 
of the General Data Protection Regulation (GDPR). It allows 
individuals to find out what personal data is held about them and to 
obtain a copy of that data. Following on from our initial GDPR 
guidance on this right (published in April 2018), the ICO has now 
drafted more detailed guidance which explains in greater detail the 
rights that individuals have to access their personal data and the 
obligations on controllers. The draft guidance also explores the 
special rules involving certain categories of personal data, how to 
deal with requests involving the personal data of others, and the 
exemptions that are most likely to apply in practice when handling a 
request. 


We are running a consultation on the draft guidance to gather the views 
of stakeholders and the public. These views will inform the published 
version of the guidance by helping us to understand the areas where 
organisations are seeking further clarity, in particular taking into 
account their experiences in dealing with subject access requests since 
May 2018. 


If you would like further information about the consultation, please 


email SARguidance@ico.org.uk. 


Please send us your response by 17:00 on Wednesday 12 February 
2020. 


Privacy statement 


For this consultation, we will publish all responses received from 
organisations but we will remove any personal data before 
publication. We will not publish responses received from respondents 
who have indicated that they are an individual acting in a private 
Capacity (e.g. a member of the public). For more information about 
what we do with personal data see our privacy notice. 


Please note, your responses to this survey will be used to help us with 
our work on the right of access only. The information will not be used to 
consider any regulatory action, and you may respond anonymously 
should you wish. 


Please note that we are using the platform Snap Surveys to gather 
this information. Any data collected by Snap Surveys for ICO is 


stored on UK servers. You can read their Privacy Policy. 


Q1 Does the draft guidance cover the relevant issues about the right 
of access? 


Yes 
No 


Unsure/don’t know 


If no or unsure/don’t know, what other issues would you like to be 
covered in it? 


The issue needs to be addressed that if someone makes a SAR it normally means the end 
of the relationship between the two parties. 


Organisations need to try and avoid getting to the point where individuals make a SAR by 
handling complaints and requests for documents effectively in the normal course of 
business. Not all requests for documents to an organisation should be treated as a SAR. 


It should be noted that SARs are a blunt instrument and that in many cases the requestor 
may not want a copy of all the personal information an organisation holds about them. 
The requestor may only be interested in a specific document and therefore the 
organisation should always check what personal information the requestor wants. The 
requestor may have previously asked for the document and the organisation has not 
provided the document. 


A SAR may also be made in combination with other data subjects rights, for example the 
right to object and this linkage needs to be addressed in the document. 


In the case of requests for information about children mention should be made of the 
need to verify that the person making the request does have parental responsibility over 
the child to avoid disclosing information to the wrong person in the case of looked after 
children. 


The guidance also needs to stress the importance of making sure that there is nota 
personal data security breach by disclosing personal information to the wrong person 
when responding to a data security breach. This can be avoided by carrying out identity 
checks. 


Q2 Does the draft guidance contain the right level of detail? 


Yes 
X No 


Unsure/don’t know 


If no or unsure/don't know, in what areas should there be more detail 
within the draft guidance? 


In the section on “Who is responsible” on page 5 of the draft guidance reference should 
be made to the other requirements under the GDPR/Data Protection Act 2018 relating to 
the need for a joint controller/ controller to processor agreement. 


The issue of responding to SARs needs to be addressed in such agreements rather than 
when the first SAR comes in to the other joint controller/processor. 


In the section on “What about archived and back -up information records” on page 25 
mention should be made that if this information is the same as on the live system there is 
no need to provide a copy of the duplicated personal information but only a note that a 


copy is on the archived/back- up system. Archived information may have been 
anonymised in which case it falls outside the definition of personal data and therefore 
does not need to be disclosed in response to a SAR. Archived personal data which is 
pseudonymised will need to be disclosed in response to a SAR as pseudonymous data 
falls within the definition of personal data. 


Q3 Does the draft guidance contain enough examples? 


x Yes 
No 


Unsure/don’t know 


If no or unsure/don’t know, please provide any examples that you 
think should be included in the draft guidance. 


Q4 We have found that data protection professionals often struggle with applying and 
defining ‘manifestly unfounded or excessive’ subject access requests. We would 
like to include a wide range of examples from a variety of sectors to help you. 


Please provide some examples of manifestly unfounded and excessive requests 
below (if applicable). 


Q5 On a scale of 1-5 how useful is the draft guidance? 


1 - Not at all 2 - Slightly 3 - Moderately 4 - Very useful 5 - Extremely 
useful useful useful useful 
O O O O O 


Q6 Why have you given this score? 


Q7 To what extent do you agree that the draft guidance is clear and easy to understand? 


Strongly Disagree Neither agree nor Agree Strongly agree 
disagree disagree 
O 0O 0O 


Q8 Please provide any further comments or suggestions you may have about the draft 
guidance. 


Q9 Are you answering as: 


O An individual acting in a private capacity (eg someone 
providing their views as a member of the public) 

X An individual acting in a professional capacity 

O On behalf of an organisation 

O Other 


Please specify the name of your organisation: 


Liverpool School of Tropical Medicine 


What sector are you from: 


Further education 


Q10 How did you find out about this survey? 


ICO Twitter account 

ICO Facebook account 

ICO LinkedIn account 

ICO website 

ICO newsletter 

ICO staff member 

Colleague 

Personal/work Twitter account 
Personal/work Facebook account 
Personal/work LinkedIn account 
Other 


CES E 0 Be O ME US A E E X 


Thank you for taking the time to complete the survey. 


